1.0 Threats, Attacks, and Vulnerabilities.

1.7 Summarize the techniques used in security assessments

An important component of security maintenance is performing regular security assessments and testing to ensure that controls are operating properly and that the environment contains no exploitable vulnerabilities.
Last edited 729 days ago by Makiel [Muh-Keel].

Vulnerability Management

We operate servers, endpoint systems, network devices, and many other components that each run millions of lines of code and process complex configurations.
No matter how much we work to secure these systems, it is inevitable that they will contain vulnerabilities and that new vulnerabilities will arise on a regular basis.
It’s crucial to have some form of vulnerability management in place to reduce the number of holes in our boat. Too many holes and we sink like a rock!
Vulnerability Management programs play a crucial role in identifying, prioritizing, and remediating vulnerabilities in our environments.

Vulnerability Scanning

Vulnerability scanning is used to detect new vulnerabilities as they arise and to feed a remediation workflow that addresses the highest-priority vulnerabilities first.

Identifying Scan Targets

The first step is to identify the systems that will be covered by the vulnerability scans. Identifying these targets (systems) is based on a few important questions:
What is the data classification of the information stored, processed, or transmitted by the system?
Is it classified (for example, secret or top secret) or otherwise sensitive?
Is it business-critical data?
Is the system exposed to the Internet or other public or semipublic networks?
Is it publicly accessible via the Internet?
How easily can someone reach the system?
What services are offered by the system?
Is the system a production, test, or development system?
Organizations also use automated techniques to identify the systems that may be covered by a scan.
Cybersecurity professionals use scanning tools to search the network for connected systems, whether they were previously known or unknown.
They use these scanning tools to build an asset inventory.
Asset inventories are used to create asset maps.
Administrators may then supplement this inventory with additional information about the type of system and the information it handles. This information then helps classify which systems are critical and which are noncritical.
A combination of asset inventory and asset criticality information helps guide decisions about the types of scans that are performed, the frequency of those scans, and the priority administrators should place on remediating vulnerabilities detected by the scan.

Determining Scan Frequency

Vulnerability scanning tools allow the automated scheduling of scans to take the burden off administrators. Manually checking these systems would be a major pain!
Security admins will choose a scanning schedule that meets their security, compliance, and business requirements.
Scan frequency is how often the selected systems will be scanned, and it is determined by a number of factors:
The organization's risk appetite is its willingness to tolerate risk within the environment.
If an organization is extremely risk averse, it may choose to conduct scans more frequently to minimize the amount of time between when a vulnerability comes into existence and when it is detected by a scan.
Regulatory requirements, such as those imposed by the Payment Card Industry Data Security Standard (PCI DSS) or the Federal Information Security Management Act (FISMA), may dictate a minimum frequency for vulnerability scans.
These requirements may also come from corporate policies.
Technical constraints may limit the frequency of scanning.
For example, the scanning system may only be capable of performing a certain number of scans per day, and organizations may need to adjust scan frequency to ensure that all scans complete successfully.
Business constraints may limit the organization from conducting resource-intensive vulnerability scans during periods of high business activity to avoid disruption of critical processes.
Licensing limitations may curtail the bandwidth consumed by the scanner or the number of scans that may be conducted simultaneously.
It is usually wise to begin small and slowly expand the scope and frequency of vulnerability scans over time to avoid overwhelming the scanning infrastructure or enterprise systems.

Configuring Vulnerability Scans

In addition to scheduling automated scans and producing reports, administrators may customize the types of checks performed by the scanner, provide credentials to access target servers, install scanning agents on target servers, and conduct scans from a variety of network perspectives.

Scan Sensitivity Levels

Always be sure to become very familiar with how your scanning tool categorizes and determines sensitivity levels.
These settings determine the types of checks that the scanner will perform and should be customized to ensure that the scan meets its objectives while minimizing the possibility of disrupting the target environment.
Scanning Efficiency
Templates are created before running vulnerability scans. Why build the configuration from scratch every time you run a vulnerability scan?
Save common configuration settings in templates so they can be reused efficiently, saving time and reducing errors when configuring future scans.
Disabling Unnecessary Plug-Ins
Administrators may also improve the efficiency of their scans by configuring the specific plug-ins that will run during each scan.
Each plug-in performs a check for a specific vulnerability, and these plug-ins are often grouped into families based on the operating system, application, or device that they involve.
The only problem is that plug-ins come grouped with many others, and running a whole family creates excess overhead when you are scanning for only one vulnerability.
Disabling the plug-ins related to vulnerabilities you are not scanning for increases scanning speed, which makes the vulnerability scanning tool more efficient; it also reduces noise, since a check that never runs (for example, a Windows check against a Linux host) cannot produce a false positive.

Supplementing Network Scans

Basic vulnerability scans run over a network, probing a system from a distance. This provides a realistic view of the system's security by simulating what an attacker might see from another network vantage point.
However, the firewalls, intrusion prevention systems, and other security controls that exist on the path between the scanner and the target server may affect the scan results, providing an inaccurate view of the server's security independent of those controls.
Many security vulnerabilities are difficult to confirm using only a remote scan.
Vulnerability scans that run over the network may detect the possibility that a vulnerability exists (for example, from a version string in a service banner) but be unable to confirm it with confidence, which is where false positives come from.
To help combat inaccurate network scans, you can give the scanner a way to read the server's actual configuration.
With that access, the scanner can check the server itself and produce a more accurate report.
Credentialed scans may access operating systems, databases, and applications in order to give consistently more accurate vulnerability reports.
Server configuration information can be obtained in two ways:
Providing the server credentials manually: Security administrators can provide the scanner with credentials that allow the scanner to connect to the target server and retrieve configuration information.
This information can then be used to determine whether a vulnerability exists, improving the scan's accuracy over non-credentialed alternatives.
Ex. If a vulnerability scan detects a potential issue that can be corrected by an operating system update, the credentialed scan can check whether the update is installed on the system before reporting a vulnerability.
Agent-based scanning approach: Some scanners supplement the traditional scanner-based approach to vulnerability scanning with a complementary agent-based scanning approach.
Administrators install small software agents on each target server.
These agents conduct scans of the server configuration, providing an “inside-out” vulnerability scan, and then report information back to the vulnerability management platform for analysis and reporting.
System administrators are typically wary of installing agents on the servers that they manage for fear that the agent will cause performance or stability issues.

Credentialed vs Non-Credentialed

Credentialed scanning involves the use of privileged credentials to scan systems and applications.
This type of scanning provides an in-depth and comprehensive analysis of vulnerabilities and provides more accurate results.
Uncredentialed scanning is conducted without the use of privileged credentials. This type of scanning is limited in its scope and provides less accurate results compared to credentialed scanning.
Despite its limitations, uncredentialed scanning is still useful for identifying basic vulnerabilities that can be exploited by attackers, and it shows exactly what an unauthenticated attacker can see.
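An added example (not from these notes) showing the difference in practice. An uncredentialed check only sees the version string a service advertises; a credentialed check reads the installed package and its distribution revision. The version range comes from Heartbleed (CVE-2014-0160), which affected upstream OpenSSL 1.0.1 through 1.0.1f and was fixed upstream in 1.0.1g; the server banner, the package listing and the table of backported-fix revisions are constructed for the example and are not real advisory data, and the version comparison is a simplified stand-in for dpkg's rules.

```python
import re

# Real range: Heartbleed (CVE-2014-0160) affected upstream OpenSSL 1.0.1 through
# 1.0.1f and was fixed upstream in 1.0.1g.
AFFECTED_FROM, AFFECTED_TO = "1.0.1", "1.0.1f"

# CONSTRUCTED for this example: a Debian-style package listing from the host
# (name<TAB>version, where version = upstream-distrorevision) and the first
# distro revision carrying the backported fix. Real values come from the
# distribution's own advisory.
PACKAGE_LISTING = "libssl1.0.0\t1.0.1-4ubuntu5.12\nopenssh-server\t1:6.6p1-2ubuntu2\n"
BACKPORT_FIXED = {"libssl1.0.0": "1.0.1-4ubuntu5.12"}


def version_key(ver):
    """Turn '1.0.1f' or '4ubuntu5.12' into a tuple that sorts sensibly:
    digit runs compare numerically, letter runs lexically. Simplified stand-in
    for dpkg/rpm comparison (no epochs, no '~' handling)."""
    tokens = re.findall(r"\d+|[A-Za-z]+", ver)
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)


def in_affected_range(upstream):
    return version_key(AFFECTED_FROM) <= version_key(upstream) <= version_key(AFFECTED_TO)


def uncredentialed_check(server_banner):
    """Remote view: all the scanner has is the version the service advertises.
    Returns (finding, confidence)."""
    m = re.search(r"OpenSSL/(\d+(?:\.\d+)*[a-z]?)", server_banner)
    if not m:
        return ("no OpenSSL version advertised", "none")
    if in_affected_range(m.group(1)):
        # A distro package with a backported fix advertises exactly this string,
        # so the scanner can only say "possibly".
        return ("possibly vulnerable: banner version %s is in the affected range" % m.group(1), "low")
    return ("not vulnerable by banner version %s" % m.group(1), "low")


def split_debian_version(ver):
    """'1:1.0.1-4ubuntu5.12' -> (epoch, upstream, distro revision)."""
    epoch = 0
    if ":" in ver:
        e, ver = ver.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = ver.rpartition("-")
    if not sep:  # no distro revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def credentialed_check(package_listing, package="libssl1.0.0"):
    """Inside view: the scanner logs in and asks the package manager what is
    actually installed, then accounts for distribution backports."""
    pkgs = dict(line.split("\t") for line in package_listing.strip().splitlines())
    if package not in pkgs:
        return ("not vulnerable: %s is not installed" % package, "high")
    _, upstream, revision = split_debian_version(pkgs[package])
    if not in_affected_range(upstream):
        return ("not vulnerable: upstream %s is outside the affected range" % upstream, "high")
    fixed = BACKPORT_FIXED.get(package)
    if fixed:
        _, _, fixed_rev = split_debian_version(fixed)
        if version_key(revision) >= version_key(fixed_rev):
            return ("not vulnerable: fix backported in revision %s" % revision, "high")
    return ("vulnerable: %s %s has no fix" % (package, pkgs[package]), "high")


if __name__ == "__main__":
    banner = "Server: Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1"  # constructed
    print("uncredentialed:", uncredentialed_check(banner))
    print("credentialed:  ", credentialed_check(PACKAGE_LISTING))
```

Run as a script, the banner check comes back "possibly vulnerable" at low confidence while the package check clears the host at high confidence: the same string that looks vulnerable from the outside is a patched package on the inside, which is exactly the false positive a credentialed scan removes.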

Intrusive vs Non-Intrusive

Nonintrusive methods generally include a simple scan of the target system's attributes (e.g., inspecting the file system for specific files or file versions, checking the registry for specific values, scanning for missing security updates, port scanning to discover which services are listening).
An intrusive scan attempts to actively exploit vulnerabilities and thus could possibly cause some disruption of operations. For this reason, it should be conducted outside normal business hours or in a test environment, if it is used at all.

Scan Perspective

Comprehensive vulnerability management programs provide the ability to conduct scans from a variety of Scan Perspectives. Each scan perspective conducts the scan from a different location on the network, providing a different view into vulnerabilities.
External Scans are run from the Internet, giving administrators a view of what an attacker located outside the organization would see as potential vulnerabilities.
Internal Scans are run from inside the network and show what an insider threat would see.
Internal scans might run from a scanner on the general corporate network.
Server-Side Scans use scanners located inside the datacenter, together with agents located on the servers, and offer the most accurate view of the real state of the server by showing vulnerabilities that might otherwise be blocked by other security controls on the network.
Controls that might affect scan results include the following:
Firewall settings
Network segmentation
Intrusion detection systems (IDSs)
Intrusion prevention systems (IPSs)

Scanner Maintenance

Vulnerability management solutions still require care and feeding. Administrators should conduct regular maintenance of their vulnerability scanner to ensure that the scanning software and vulnerability feeds remain up-to-date.

Scanner Software

Scanning systems themselves aren't immune from vulnerabilities, so be sure to closely monitor your scanning software for any vulnerabilities.
Regular patching of scanner software protects an organization against scanner-specific vulnerabilities and also provides important bug fixes and feature enhancements to improve scan quality.

Vulnerability Plug-in Feeds

Security researchers discover new vulnerabilities every week, and vulnerability scanners can only be effective against these vulnerabilities if they receive frequent updates to their plug-ins.
Administrators should configure their scanners to retrieve new plug-ins on a regular basis, preferably daily.

Vulnerability Scanning Tools

Ideally, your organization’s vulnerability management tool kit should include a network vulnerability scanner, an application scanner, and a web application scanner.
Vulnerability scanners are often leveraged for preventive scanning and testing.

Infrastructure Vulnerability Scanning

Network vulnerability Scanners are capable of probing a wide range of network-connected devices for known vulnerabilities.
They reach out to any systems connected to the network, attempt to determine the type of device and its configuration, and then launch targeted tests designed to detect the presence of any known vulnerabilities on those devices.
The following tools are examples of network vulnerability scanners:
Tenable's Nessus is a well-known and widely respected network vulnerability scanning product that was one of the earliest products in this field.
Qualys's vulnerability scanner is a more recently developed commercial network vulnerability scanner that offers a unique deployment model using a software-as-a-service (SaaS) management console to run scans using appliances located both in on-premises datacenters and in the cloud.
Rapid7's Nexpose is another commercial vulnerability management system that offers capabilities similar to those of Nessus and Qualys.
The open source OpenVAS offers a free alternative to commercial vulnerability scanners.
These are four of the most commonly used network vulnerability scanners. Many organizations choose to deploy two different vulnerability scanning products in the same environment as a defense-in-depth control.

Application Scanning

Application scanning tools are commonly used as part of the software development process. These tools analyze custom-developed software to identify common security vulnerabilities.
Application testing occurs using three techniques:
Static Testing analyzes code without executing it. This approach points developers directly at vulnerabilities and often provides specific remediation suggestions.
Dynamic Testing executes code as part of the test, running all the interfaces that the code exposes to the user with a variety of inputs, searching for vulnerabilities.
Interactive Testing combines static and dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces.
Many organizations introduce testing requirements into the software release process, requiring clean tests before releasing code into production.
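An added example (not from these notes, and not any product's code) of what static testing does: parse the source without executing it and point at the exact line of each risky call. SAMPLE_SOURCE and the RISKY_CALLS table are constructed for the example; real SAST tools such as Bandit carry far larger rule sets.

```python
import ast

# Call patterns worth flagging and why. Constructed for the example; real
# tools carry many more rules.
RISKY_CALLS = {
    "eval": "arbitrary code execution from a string",
    "exec": "arbitrary code execution from a string",
    "pickle.loads": "deserialization of untrusted data",
    "yaml.load": "unsafe YAML deserialization unless a safe Loader is given",
}


def call_name(node):
    """Render the callee as dotted text: eval -> 'eval', pickle.loads -> 'pickle.loads'.
    Anything fancier (chained attributes, calls on call results) returns None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return "%s.%s" % (func.value.id, func.attr)
    return None


def static_scan(source):
    """Return [(line, message), ...] for `source` without executing any of it."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node)
        if name is None:
            continue
        if name in RISKY_CALLS:
            findings.append((node.lineno, "%s: %s" % (name, RISKY_CALLS[name])))
        # subprocess.* with shell=True is command injection if input reaches the string.
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append((node.lineno, "%s(shell=True): command injection risk" % name))
    return sorted(findings)


# CONSTRUCTED source under test: three bad patterns and one safe call.
SAMPLE_SOURCE = '''\
import subprocess, pickle

def run(cmd):
    return subprocess.run("ls " + cmd, shell=True)

def load(blob):
    return pickle.loads(blob)

def calc(expr):
    return eval(expr)

def safe(path):
    return subprocess.run(["ls", path])
'''

if __name__ == "__main__":
    for line, msg in static_scan(SAMPLE_SOURCE):
        print("line %d: %s" % (line, msg))
```

The point of the `safe` function in the sample is that the checker is precise about the pattern, not the library: the list-form `subprocess.run` is not flagged, only the `shell=True` string form on line 4.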

Web Application Scanning

Web Application scanners are specialized tools used to examine the security of web applications. These tools test for web-specific vulnerabilities, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) vulnerabilities.
They work by combining traditional network scans of web servers with detailed probing of web applications using such techniques as sending known malicious input sequences and fuzzing (automatically generating malformed or unexpected input) in attempts to break the application.
Many organizations don’t have a dedicated web application vulnerability scanner. Instead, they use the web application scanning capabilities that come with traditional network vulnerability scanners, such as Nessus, Qualys, and Nexpose.
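An added example (not from these notes) that shows both sides of web application scanning: a lookup that concatenates user input into SQL next to its parameterized fix, and a miniature scanner loop that sends known malicious input sequences and reports injection from two kinds of evidence, a database error leaking to the client and a boolean differential (more rows than the baseline request returned). The in-memory SQLite database, product rows and payload list are constructed for the example.

```python
import sqlite3


def make_db():
    """CONSTRUCTED in-memory catalog standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                     [("widget", 9.99), ("gadget", 19.99), ("gizmo", 4.50)])
    return conn


def search_vulnerable(conn, term):
    """The bug: user input is pasted into the SQL string, so it can become SQL."""
    sql = "SELECT name, price FROM products WHERE name = '%s'" % term
    return conn.execute(sql).fetchall()


def search_hardened(conn, term):
    """The fix: a parameterized query; the driver keeps the input as data."""
    return conn.execute("SELECT name, price FROM products WHERE name = ?", (term,)).fetchall()


# What the scanner sends: one benign baseline request, then known malicious sequences.
BASELINE = "widget"
PAYLOADS = ["widget'", "' OR '1'='1", "widget' OR 1=1 --"]


def probe(endpoint, conn):
    """DAST-style loop over an exposed interface. Returns [(payload, evidence)]."""
    findings = []
    baseline_rows = endpoint(conn, BASELINE)
    for payload in PAYLOADS:
        try:
            rows = endpoint(conn, payload)
        except sqlite3.Error as err:
            # A database error reaching the client means the input was parsed as SQL.
            findings.append((payload, "error-based: %s" % err))
            continue
        if len(rows) > len(baseline_rows):
            # Boolean differential: the tautology widened the result set.
            findings.append((payload, "boolean-based: %d rows vs %d in baseline"
                             % (len(rows), len(baseline_rows))))
    return findings


if __name__ == "__main__":
    for name, endpoint in (("vulnerable", search_vulnerable), ("hardened", search_hardened)):
        print(name, probe(endpoint, make_db()))
```

Against `search_vulnerable` all three payloads produce evidence (one error, two tautologies); against `search_hardened` the same payloads are treated as literal product names and match nothing, so the probe stays silent.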

Reviewing and Interpreting Scan Reports

Vulnerability scan reports provide analysts with a significant amount of information that assists with the interpretation of the report.
These reports provide detailed information about each vulnerability that they identify. Figure 5.12 shows an example of a single vulnerability reported by the Nessus vulnerability scanner.
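An added example (not from these notes) of turning a scan report into a remediation queue, which is where the asset inventory and criticality information from earlier in these notes comes in. The XML uses the element and attribute names of a Nessus v2 export (ReportHost, HostProperties, ReportItem with severity, pluginID and pluginName, and a cvss3_base_score child), but the hosts, plugin IDs, scores and the ASSETS inventory are constructed, and the weighting in risk_rank is an assumption for the example, not a standard.

```python
import xml.etree.ElementTree as ET

# CONSTRUCTED export: Nessus v2 element/attribute names, made-up hosts, plugin
# IDs and scores. Two hosts share the same critical finding on purpose.
NESSUS_XML = """<NessusClientData_v2><Report name="example">
<ReportHost name="10.0.1.10"><HostProperties><tag name="host-ip">10.0.1.10</tag></HostProperties>
<ReportItem port="443" protocol="tcp" severity="4" pluginID="100001" pluginName="Example critical TLS service finding"><cvss3_base_score>9.8</cvss3_base_score></ReportItem>
<ReportItem port="22" protocol="tcp" severity="2" pluginID="100002" pluginName="Example medium SSH finding"><cvss3_base_score>5.3</cvss3_base_score></ReportItem>
</ReportHost>
<ReportHost name="10.0.9.5"><HostProperties><tag name="host-ip">10.0.9.5</tag></HostProperties>
<ReportItem port="443" protocol="tcp" severity="4" pluginID="100001" pluginName="Example critical TLS service finding"><cvss3_base_score>9.8</cvss3_base_score></ReportItem>
<ReportItem port="0" protocol="tcp" severity="0" pluginID="100003" pluginName="Informational: OS fingerprint"><cvss3_base_score>0.0</cvss3_base_score></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

# CONSTRUCTED asset inventory: criticality 1 (low) .. 4 (business critical).
ASSETS = {
    "10.0.1.10": {"name": "payments-web", "criticality": 4, "internet_exposed": True},
    "10.0.9.5": {"name": "dev-sandbox", "criticality": 1, "internet_exposed": False},
}
UNKNOWN_ASSET = {"name": "unknown", "criticality": 2, "internet_exposed": False}


def parse_nessus(xml_text):
    """Flatten ReportHost/ReportItem pairs into one dict per finding."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            score = item.find("cvss3_base_score")
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "severity": int(item.get("severity")),  # Nessus: 0 info .. 4 critical
                "plugin_id": item.get("pluginID"),
                "plugin": item.get("pluginName"),
                "cvss": float(score.text) if score is not None else 0.0,
            })
    return findings


def risk_rank(finding, assets):
    """Scanner score weighted by what the asset is worth and whether outsiders can
    reach it. The weights are an assumption for the example, not a standard."""
    asset = assets.get(finding["host"], UNKNOWN_ASSET)
    exposure = 1.5 if asset["internet_exposed"] else 1.0
    return round(finding["cvss"] * asset["criticality"] * exposure, 1)


def remediation_queue(xml_text, assets, min_severity=1):
    """Drop informational items, score the rest, and order by priority."""
    queue = [f for f in parse_nessus(xml_text) if f["severity"] >= min_severity]
    for f in queue:
        f["priority"] = risk_rank(f, assets)
        f["asset"] = assets.get(f["host"], UNKNOWN_ASSET)["name"]
    return sorted(queue, key=lambda f: (-f["priority"], f["host"], f["port"]))


if __name__ == "__main__":
    for f in remediation_queue(NESSUS_XML, ASSETS):
        print("%5.1f  %-13s %-10s :%-4d %s" % (f["priority"], f["asset"], f["host"], f["port"], f["plugin"]))
```

The same plugin (100001, CVSS 9.8) lands at the top of the queue on the Internet-facing payments host and at the bottom on the isolated sandbox; that separation is what asset criticality adds to a raw scanner severity, and it is why the earlier notes tie scan scope and remediation priority to the inventory.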

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities.
It provides a technique for scoring each vulnerability on a variety of measures. Cybersecurity analysts often use CVSS ratings to prioritize response actions.
Each vulnerability is rated on eight different measures (the CVSS v3.x base metrics):
Each measure is given both a descriptive rating and a numeric score.
The first four measures evaluate the exploitability of the vulnerability, whereas the next three evaluate the impact of the vulnerability.
The eighth metric, Scope, captures whether a vulnerability in one component affects resources beyond that component's security boundary.

8 Different Metrics used to create the CVSS score

Attack Vector (AV): Network, Adjacent, Local, or Physical. The more remote the attacker can be, the higher the score.
Attack Complexity (AC): Low or High. Conditions beyond the attacker's control that must exist for the exploit to work.
Privileges Required (PR): None, Low, or High. The level of access the attacker must already have before exploiting the vulnerability.
User Interaction (UI): None or Required. Whether a victim must take some action (e.g., open a file) for the exploit to succeed.
Confidentiality (C): None, Low, or High. Impact on the confidentiality of information.
Integrity (I): None, Low, or High. Impact on the trustworthiness of information.
Availability (A): None, Low, or High. Impact on the availability of the affected component.
Scope (S): Unchanged or Changed. Whether the exploited vulnerability lets the attacker affect components beyond the vulnerable one.
CVSS Calculation Equation (CVSS v3.1 base score, where each letter stands for the numeric weight of the chosen rating):
ISS = 1 − [(1 − C) × (1 − I) × (1 − A)]
Impact = 6.42 × ISS if Scope is Unchanged, or 7.52 × (ISS − 0.029) − 3.25 × (ISS − 0.02)^15 if Scope is Changed
Exploitability = 8.22 × AV × AC × PR × UI
Base Score = 0 if Impact ≤ 0; otherwise Roundup(min(Impact + Exploitability, 10)) if Scope is Unchanged, or Roundup(min(1.08 × (Impact + Exploitability), 10)) if Scope is Changed
Roundup rounds up to one decimal place, so a score of 9.76 is reported as 9.8.

Validating Scan Results

Cybersecurity analysts interpreting reports often perform their own investigations to confirm the presence and severity of vulnerabilities.
These investigations may include the use of external data sources that supply additional information valuable to the analysis.

False Positives / False Negatives.

Vulnerability scanners are useful tools, but they aren't omniscient or all-knowing. They are TOOLS, and like any other tool, they can produce inaccurate reports.
When a vulnerability scanner reports a vulnerability, this is known as a positive report. This report may either be accurate (a true positive report) or inaccurate (a false positive report).
Conversely, when a scanner reports that a vulnerability is not present, this is a negative report. The negative report may either be accurate (a true negative report) or inaccurate (a false negative report).
A False Positive is a vulnerability alert that was mistakenly reported as ‘vulnerability found’ when the vulnerability is not really there.
False positives are counterproductive because precious time is taken out of an analyst’s day to thoroughly investigate the ‘positive’ alert.
This takes time away from true positives, the actual vulnerabilities.
A False Negative is even more dangerous than a false positive: an actual vulnerability is present, but your scanning tool reports it as non-existent, so nobody goes looking for it.

Cybersecurity analysts should confirm each vulnerability reported by a scanner.
Can be as simple as verifying that a patch is missing or an operating system is outdated.
In other cases, verifying a vulnerability requires a complex manual process that simulates an exploit.
Ex. Verifying a SQL injection vulnerability may require actually attempting an attack against a web application and verifying the result in the backend database.

Compare Your Vulnerability Reports to Other Sources

Cybersecurity analysts interpreting these reports should also turn to other sources of security information as they perform their analysis.
Log Reviews from servers, applications, network devices, and other sources might contain information about possible attempts to exploit detected vulnerabilities.
Utilize them to acquire more of a holistic understanding of how exploitations are being conducted in your network.

Security Orchestration, Automation, and Response (SOAR)

Managing multiple security technologies can be challenging, and using the information from those platforms and systems to determine your organization's security posture and status requires integrating different data sources.
Managing security operations and remediating the issues you identify is also an important part of security work.
SOAR platforms attempt to address all of these needs.
SOAR platforms allow you to quickly assess the attack surface of an organization, the state of systems, and where issues may exist.
They also allow automation of remediation and restoration workflows, typically as playbooks that chain actions across the integrated tools (for example, enriching an alert, opening a ticket, and isolating a host).

Configuration Review

Make sure the configuration settings on your devices are securely set. This should be a very easy layer of security to tighten up.
It’s easy to misconfigure one thing, so periodically verify that the configurations are still correct, ideally against a documented baseline.
Make sure the ACLs on your firewall are up-to-date and correct.
Make sure the access controls and permission levels for your servers are locked down as well.

Threat Hunting

Threat Hunting uses the attacker mindset to search an organization's technology infrastructure for the artifacts of a successful attack.
Cybersecurity professionals engaged in threat hunting seek to adopt the attacker's mindset and imagine how hackers might seek to defeat an organization's security controls.
What might a hacker do? Let’s go find the evidence!
It is a perpetual game of cat and mouse: attacker strategies are constantly changing and defenses such as firewalls keep getting stronger, so hunters must keep updating their hypotheses.
“Presumption of Compromise”
This approach assumes that attackers have already successfully breached the organization and searches out the evidence of successful attacks.
Hunters then conduct a postmortem analysis of the factors that contributed to the compromise in an effort to remediate deficiencies.
By plugging any holes in the boat, they make sure something like this never happens again.

Intelligence Fusion

Intelligence fusion is the aggregation of multiple sources of information with the goal of locating any threats that are present in your organization.
This approach also focuses on integrating threat intelligence across all security aspects of an organization to tackle any current threats.
This strategy allows security teams to contextualize insights into malicious activity and run meaningful operations across the network.

Threat Feeds

Threat feeds coming from third parties can also be useful.
They’re another useful source to keep you on your toes about any relevant security issues in your network.

Government agencies

Government agencies constantly send out alerts you should be aware of, so it’s important to have those notifications delivered in the fastest way possible.
Advisories and Bulletins
There are advisories and bulletins relating to software and vulnerabilities that you need to know about, such as vendor security advisories for the products you run.

Syslog/Security Information and Event Management (SIEM)

SIEM (Security Information and Event Management) is an approach to security management that combines security information management (SIM) and security event management (SEM) functions into one security management system.
The bottom line of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm, and take appropriate action.
The SIEM is commonly used as a central repository for log and event data.
Organizations will send data inputs—including logs and other useful information from systems, network security devices, network infrastructure, and many other sources—to a SIEM for it to ingest, compare to the other data it has, and then apply rules, analytical techniques, and machine learning or artificial intelligence to the data.
SIEM devices also provide alerting, reporting, and response capabilities, allowing organizations to see when an issue needs to be addressed and to track the response to that issue through its lifecycle.
Ex. When a potential issue is detected, a SIEM system might log additional information, generate an alert, and instruct other security controls to stop an activity's progress.

Packet Capture

The ability to capture and analyze raw packet data from network traffic, or to receive packet captures from other data sources, can be useful for incident analysis, particularly when specific information is needed about a network event.
Correlating raw packet data with IDS or IPS events, firewall and WAF logs, and other security events provides a powerful tool for security practitioners

Sentiment Analysis

The process by which the SIEM looks at text using natural language processing and other text analysis tools to determine emotions from textual data.

Data Inputs

Are what organizations send to the SIEM for it to ingest, aggregate, and make sense of all the raw data.
The SIEM then compares it to the other data it has, and then applies rules, analytical techniques, and machine learning or artificial intelligence to the data.

Log Aggregation

Log aggregation is needed when a large amount of log information, with an extensive amount of data, is stored on the system.
Most SIEMs are going to have a dashboard that rolls up that information into a view that makes it easy to identify and understand what’s happening.
Thanks to log aggregation, you can see trending of logs, how many types of security events have been received, the top devices that are reporting in, and even the severity of those events (such as Windows event log entries).

Review Reports

You’ll be able to gather information from the logs and then create a more readable view of that data, especially over a long period of time.
Being able to pull important information from this very large amount of data relies on different techniques and analytics.

Log Collector

Syslog is a standard way for different types of systems to send log files to a single repository.
Usually a central log collector centralized in the SIEM.
This takes up a lot of space, so prepare to allocate terabytes of space to store this information.
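An added example (not from these notes) of the three SIEM jobs described above run over raw syslog: decode each line's PRI into facility and severity, roll counts up by reporting host and by severity the way a dashboard would, and apply one correlation rule (five or more failed SSH logins from one source within a minute, escalated if that source later logged in successfully). The log lines, hostnames, users and addresses are constructed; the year passed to the timestamp parser is an assumption because RFC 3164 timestamps carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Severity names for PRI % 8; facility is PRI // 8 (syslog numbering).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# CONSTRUCTED RFC 3164-style lines as a central collector would receive them.
LOG_LINES = """\
<38>Mar  4 10:15:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51000 ssh2
<38>Mar  4 10:15:09 web01 sshd[2103]: Failed password for admin from 203.0.113.7 port 51002 ssh2
<38>Mar  4 10:15:20 web01 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
<38>Mar  4 10:15:31 web01 sshd[2107]: Failed password for root from 203.0.113.7 port 51006 ssh2
<38>Mar  4 10:15:44 web01 sshd[2109]: Failed password for root from 203.0.113.7 port 51008 ssh2
<38>Mar  4 10:16:02 web01 sshd[2111]: Accepted password for root from 203.0.113.7 port 51010 ssh2
<38>Mar  4 10:20:15 db01 sshd[990]: Failed password for dba from 10.0.2.15 port 40001 ssh2
<27>Mar  4 10:21:00 db01 postgres[1200]: FATAL: password authentication failed for user "app"
<4>Mar  4 10:22:30 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.1.10 PROTO=TCP DPT=3389
<30>Mar  4 10:23:00 web01 systemd[1]: Started Daily apt download activities."""

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for \S+ from (\S+)")


def parse_line(line, year=2024):
    """Decode one syslog line; `year` is an assumption since RFC 3164 omits it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "facility": pri // 8, "severity": pri % 8,
            "host": m.group("host"), "program": m.group("prog"), "msg": m.group("msg")}


def aggregate(events):
    """The dashboard roll-up: which devices report most, and how severe it all is."""
    by_host = Counter(e["host"] for e in events)
    by_severity = Counter(SEVERITY_NAMES[e["severity"]] for e in events)
    return by_host, by_severity


def brute_force_rule(events, threshold=5, window=timedelta(seconds=60)):
    """Correlation rule: >= threshold SSH failures from one source inside `window`,
    escalated if that same source later logged in successfully."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["program"] != "sshd":
            continue
        f = FAILED_RE.search(e["msg"])
        if f:
            failures[f.group(1)].append(e["ts"])
        s = ACCEPTED_RE.search(e["msg"])
        if s:
            successes[s.group(1)].append(e["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window over sorted times
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"source": src, "first_failure": times[i],
                               "followed_by_success": any(t > times[i] for t in successes[src])})
                break
    return alerts


def run(lines=LOG_LINES):
    events = [e for e in (parse_line(l) for l in lines.splitlines()) if e]
    by_host, by_sev = aggregate(events)
    return events, by_host, by_sev, brute_force_rule(events)


if __name__ == "__main__":
    events, by_host, by_sev, alerts = run()
    print("top reporters:", by_host.most_common(3))
    print("by severity:  ", dict(by_sev))
    for a in alerts:
        print("ALERT brute force from %(source)s starting %(first_failure)s, "
              "later success: %(followed_by_success)s" % a)
```

Note what the single failure from 10.0.2.15 and the PostgreSQL error do not do: they never reach the threshold, so the rule stays quiet on normal noise and fires only on the five-in-a-minute burst, and the "Accepted password" that follows the burst is what turns a brute-force alert into a likely compromise worth responding to first.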

